96
AI in Cybersecurity: A Nuclear Threat or a Defensive Tool?
View this email in your browser
The weekly newsletter of the Business of Tech, giving you new insights into the world of IT service delivery.
Looking for stories from the podcast stories? Check out the pod itself on Apple Podcasts, Spotify, or daily in your inbox. Stories are available to everyone for five days,and Patreon supporters forever.
Was this forwarded to you? Join the list!
AI in Cybersecurity: A Nuclear Threat or a Defensive Tool?
When you hear AI described as a nuclear threat to cybersecurity, you have no choice but to dig a little further. What is the state of cyber in a world with AI? How can AI transform our incident response? What regulations are needed to survive?
I had these questions and more for Rodrigo Loureiro, the man behind the statement and the CEO of C3, the Cyber Connective Corporation.
With a three-decade career spending CIO, CTO, and CISO for global entities, recognition from the prestigious Microsoft for Startups founder hub, and appearances in front of Congress to advocate for cyber, Loureiro brought some much-needed insights to a bonus episode of The Business of Tech.
Here’s what Loureiro wants you – and your clients – to know about AI’s impact on cybersecurity.
Loureiro’s take on the state of cybersecurity
We began our conversation with the basics. How would Loureiro describe the state of play for cybersecurity? His personal opinion echoes a lot of what we’ve heard from past cyber experts: far too many organizations are still failing at cybersecurity 101.
Loureiro even describes this as a severe lack of ‘cybersecurity hygiene’ and the biggest failure among organizations. Despite the buzz around advanced security, IDSs, and IPSs, has this today:
“if I was king for a day, I would wish all organizations were very good at cybersecurity hygiene. That would solve, in my opinion, 80% of the cybersecurity problems that most organizations face.”
Long time listeners know that my premise to explain this oversight is that from the POV of business owners, cyber doesn’t drive enough revenue to justify the cost.
Loureiro agrees, and even shared an example to illustrate it. In 2015, he was hired by a four-billion dollar private education company while they prepared to IPO. Cybersecurity infrastructure had the potential to increase the financial outcomes of the IPO. So, with the business case for cyber clarified, Loureiro was actually able to put some in place.
Of course, Loureiro believes every company has a business case for cybersecurity. With all companies now digital companies, he sees cyber as fundamental infrastructure.
The problem with regulation
To MSPs and other tech providers, the case for cyber is clear, but we still have to meet business people where they’re at. So what would it look like to have regulation requiring it? After all, we’ve got a bunch of regulations around all kinds of other safety elements for operating a business.
As for Loureiro’s take on regulation:
“I view it as mandatory. I view it as a failure of our government and overall our society, if you will, that we are still missing those regulations,” he said.
At the very bare minimum, Loureiro wants to see existing regulation expanded to include cybersecurity, like the SOX standard for financial reporting and the PCI standard for credit card handling. Anyone can see where cybersecurity would be valuable in those arenas.
What about CISA? I was curious about Loureiro’s take on them, and his view is understandable. They’re great at communications and talk about the right things, but they’re missing teeth like regulatory standards and enforcement.
A bit later on in our convo, I asked Loureiro why the government doesn’t just sanction the internet access of cyber criminals or sanction doing business with countries that peddle them. Pragmatically, he thinks there are too many vested interests in continuing those commercial relationships.
AI as a nuclear threat to cybersecurity
Now, for Loureiro’s lede:
“I see AI as a nuclear threat to cybersecurity because of the massive capabilities of the adversaries or attackers to be able to have an army of fireless bots that can execute and penetrate an organization,” he said.
He described a world where a minor threat like script kiddies are multiplied by millions for 24/7 attacks without needing more than a small computer. Combined with his earlier concern of most organizations lacking basic cybersecurity hygiene, he sees AI as a very serious threat to the stability of our entire digital infrastructure.
I’m less concerned about script kiddies, and more concerned about ransomware run by mafia gangs and near-corporate entities with multi-tier administration arming non-technical people with bots and affiliate programs.
Loureiro applied the same script kiddie logic to my concern:
“The big promise of AI when organizations look at it is increased productivity, increased efficiency. Now, apply it to those nation states and to those mafias and to those gangs that organized cyber crime. AI is going to impact and increase their effectiveness and increase their productivity, which in my book is a terrible thing because they’re already very effective and very productive.”
It’s hard to argue with that.
AI as a line of defense
But don’t interpret Loureiro as anti-AI (per say). He made it clear that he sees AI as the only defense against this:
“If on our side, the defense side, you are hesitant about the use of AI, you are essentially arming your cyber defenses with knives to fight off gunslingers,” he said.
One of the most obvious and important AI applications, he explained, is with cyber security analysts. The industry doesn’t have enough qualified ones, and the ones we do have are overwhelmed with responding to incidents. If we use AI to boost their productivity, we’ll be on the path to preparation.
Similarly, Loureiro also sees an opportunity for AI to sort through the mountains of data we already have available. When we have cybersecurity incidents, analysis usually reveals that we missed clear indicators of compromise or didn’t have the resources to follow up.
We don’t have a shortage of organizations to pull data from, so…
“Where I think that AI can exponentially grow the productivity of our cybersecurity analysts and defenses is in terms of analyzing identifying patterns and identifying threads in the mountains of data that we already have,” he said.
That’s actually where Loureiro’s work is focused now. He’s creating a capability where companies collect all the cybersecurity data that they have in their organizations, centralize it, and then let an AI loose on it 24/7. The goal is to identify threats faster and more effectively than even a small army of cybersecurity analysts.
If Loureiro’s description of AI as a nuclear threat to cybersecurity caught your attention, learn more at www.CyberConnective.ai or head to his LinkedIn.
Have you managed to pitch your customers on cyber’s business value? Where do you stand on regulation? Are you ready to use AI against AI? As always, my inbox is open for stories, takes, or whatever else is on your mind.
More from MSP Radio
Missed Things?
How about our latest videos to catch you up?
The Daily Podcast available as videos
The Evolution of Managed Services with Michael George, CEO of Syncro
Embracing Change: Lessons from a graduate’s journey
Responsible Exploit Disclosure: A New Perspective with MacKenzie Brown from Blackpoint Cyber
Engaging with Students for Talent Acquisition: A Guide for Small Businesses with Don Snyder
Driving Business Outcomes with Identity Solutions: Insights from SailPoint and IDMWorks
The Walls Have Eyes: Exploring Border Technologies with Petra Molnar
Want the Daily News?
All the stories from the daily Business of Tech Podcast are available in the daily digest, and stories are available to everyone for the first five days, and Patreon supporters forever. Catch the audio of the show anytime on Apple Podcasts, Spotify, YouTube, or wherever you find podcasts. Links at businessof.tech
Copyright © 2024 MSP Radio, All rights reserved.
Want to change how you receive these emails?
You can update your preferences or unsubscribe from this list.